Windows – What does BitLocker actually encrypt and when

Tags: bitlocker, encryption, ssd, windows 10

I need full disk encryption for business laptop computers running a current version of Windows 10 Pro. The computers have an NVMe SSD drive from Samsung and an Intel Core i5-8000 CPU.

From some web research today, there are currently only two options available: Microsoft BitLocker and VeraCrypt. I am fully aware of the state of open and closed source and the security implications that come with that.

After reading some information about BitLocker, which I had never used before, I have the impression that starting with Windows 10 BitLocker only encrypts newly written data on the disk but not everything that already exists, for performance reasons. (That documentation says I have a choice, but I don't. They didn't ask me what I want after activating it.) I have used TrueCrypt system encryption in the past and know that existing data encryption is a visible task that takes a few hours. I cannot observe such behaviour with BitLocker. No noticeable background CPU or disk activity.

Activating BitLocker is really easy. Click a button, save the recovery key somewhere safe, done. The same process with VeraCrypt made me abandon the idea. I needed to actually create a fully working recovery device, even for testing purposes on a throw-away system.

I've also read that VeraCrypt currently has a design flaw that makes some NVMe SSDs extremely slow with system encryption. I can't verify it because the setup is too complicated. At least after activating BitLocker, I can't see a significant change in disk performance. Also the VeraCrypt team has insufficient resources to fix that "complicated bug". Additionally, Windows 10 upgrades can't operate with VeraCrypt in place, which makes frequent full-disk de- and encryptions necessary. I hope BitLocker works better here.

So I'm almost settled on using BitLocker. But I need to understand what it does. Unfortunately, there is almost no information about it online. Most consists of blog posts that give an overview but no concise in-depth information. So I'm asking here.

After activating BitLocker on a single-drive system, what happens to existing data? What happens to new data? What does it mean to "suspend BitLocker"? (Not the same as permanently deactivating it and thereby decrypting all data on disk.) How can I check the encryption status or force the encryption of all existing data? (I don't mean unused space, I don't care about that, and it's required for SSDs, see TRIM.) Is there some more detailed data and actions about BitLocker other than "suspend" and "decrypt"?

And maybe on a side note, how does BitLocker relate to EFS (encrypted file system)? If only newly written files are encrypted, EFS seems to have a very similar effect. But I know how to operate EFS, it's much more understandable.

Best Answer

Activating BitLocker will start a background process which encrypts all existing data. (On HDDs this traditionally is a long process as it needs to read and rewrite every partition sector – on self-encrypting disks it can be instant.) So when it is said that only newly written data is encrypted, that refers to the state immediately after BitLocker activation and is no longer true once the background encryption task finishes. The status of this process can be seen in the same BitLocker control panel window, and paused if necessary.

The Microsoft article needs to be read carefully: it actually talks about encrypting only used areas of the disk. They merely advertise this as having the biggest impact on fresh systems, where you don't have any data yet besides the base OS (and therefore all data will be "newly written"). That is, Windows 10 will encrypt all your existing files after activation – it simply won't waste time encrypting disk sectors which don't contain anything yet. (You can opt out of this optimization via Group Policy.)

(The article also points out a downside: areas which previously held deleted files will also be skipped as "unused". So if encrypting a well-used system, do a free-space wipe using a tool, and then let Windows run TRIM if you have an SSD, all before activating BitLocker. Or use the Group Policy to disable this behavior.)

In the same article, too, there is a mention of recent Windows versions supporting self-encrypting SSDs using the OPAL standard. So the reason why you don't see any background I/O may be because the SSD was internally encrypted from day one, and BitLocker recognized this and only took over the SSD-level key management instead of duplicating the encryption effort at OS level. That is, the SSD no longer unlocks itself on power-on but requires Windows to do so. This can be disabled via Group Policy, if you prefer the OS to handle encryption regardless.

Suspending BitLocker causes a plaintext copy of the 'master' key to be written directly to disk. (Usually this master key is first encrypted with your password or with a TPM.) While suspended, this allows the disk to be unlocked on its own – clearly an insecure state, but it allows Windows Update to reprogram the TPM to match the upgraded OS, for example. Resuming BitLocker simply wipes this plain key from disk.

BitLocker is not related to EFS – the latter works at file level, associating keys to Windows user accounts (allowing fine-grained configuration but making it impossible to encrypt the OS's own files), while the former works at whole-disk level. They can be used together, although BitLocker mostly makes EFS redundant.

(Note that both BitLocker and EFS have mechanisms for corporate Active Directory administrators to recover the encrypted data – whether by backing up the BitLocker master key in AD, or by adding an EFS data recovery agent to all files.)
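The checks the answer refers to (background encryption progress, used-space-only versus full conversion, hardware versus software encryption, and the suspended state) can be read from the built-in BitLocker PowerShell module and manage-bde. The script below is an added example, not part of the original answer or of Microsoft's documentation; it assumes Windows 10 Pro, an elevated PowerShell session, and the operating system volume mounted at C:.

```powershell
# Added example: inspect the BitLocker state described in the answer above.
# Assumes an elevated session and the OS volume at C: (adjust $OsDrive as needed).
$OsDrive = 'C:'

$vol = Get-BitLockerVolume -MountPoint $OsDrive

[pscustomobject]@{
    # FullyDecrypted / EncryptionInProgress / FullyEncrypted / DecryptionInProgress
    VolumeStatus         = $vol.VolumeStatus
    # Progress of the background task; 100 once all existing data has been converted
    EncryptionPercentage = $vol.EncryptionPercentage
    # 'Off' while BitLocker is suspended (clear key stored on disk), 'On' once resumed
    ProtectionStatus     = $vol.ProtectionStatus
    # 'Hardware' means an OPAL self-encrypting drive: BitLocker only manages the key
    EncryptionMethod     = $vol.EncryptionMethod
    # e.g. Tpm, RecoveryPassword: how the volume master key is protected
    KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
} | Format-List

# manage-bde reports the conversion mode that Get-BitLockerVolume does not expose:
# "Conversion Status" shows "Used Space Only Encrypted" when the optimisation was applied.
manage-bde -status $OsDrive

# On a used-space-only volume, this wipes (and thereby encrypts) the free space
# that may still hold remnants of deleted files; it runs in the background like
# the initial conversion and can be watched with the status commands above.
manage-bde -WipeFreeSpace $OsDrive

# Suspend for exactly one reboot (the state Windows Update uses while re-sealing
# the TPM), then resume, which removes the clear key from disk again.
# Run these two lines only when a suspension is actually intended.
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1
Resume-BitLocker  -MountPoint $OsDrive
```

A quick way to confirm that the answer's description matches your machine is to run the status section right after enabling BitLocker and again an hour later: on a software-encrypted drive VolumeStatus moves from EncryptionInProgress to FullyEncrypted while EncryptionPercentage climbs, whereas a drive reporting EncryptionMethod 'Hardware' shows FullyEncrypted at once because the SSD was already encrypting internally.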
